Abstract

In static analysis by abstract interpretation, one often uses widening operators in order to
enforce convergence within finite time to an inductive invariant. Certain widening operators,
including the classical one over finite polyhedra, exhibit an unintuitive behavior: analyzing the
program over a subset of its variables may lead to a more precise result than analyzing the original
program! In this article, we present simple workarounds for such behavior.

1 Introduction 

During experiments, we found examples over which classical polyhedral analysis, even with
alternative widenings, would fail to discover some simple program invariants, which could sometimes even
be discovered by interval analysis. This would even happen on simple loops, e.g. for(int i=0; i<N; i++),
if the loop contained a nested loop not touching i: the analysis would not discover $i \geq 0$! It is
counterintuitive that difficulties in analyzing the behavior of the program on other variables should lead to
imprecise results for i.

In some of these examples, such as this simple loop, the lost invariants could be easily recovered by
syntactic pattern-matching, but such techniques are brittle. We therefore searched for techniques
inspired by our intuition that poor results on certain variables should not impact variables not depending
on them.

1.1 Generalities and Notations 

We consider the strongest invariant of a loop (or, more generally, of a program), defined as the least
fixed point $\mathrm{lfp}\,\Psi$ of a monotone operator $\Psi$ over sets of program states [6]. For instance, in Program 2
the strongest invariant of the loop is the least fixed point in $(\mathcal{P}(\mathbb{Z} \times \mathbb{Z}), \subseteq)$ of the operator

$\Psi(X) = \{(1,0)\} \cup \{(i+1,\ j+i) \mid (i,j) \in X \wedge i \leq 5\}$ (1)

Explicit-state model-checking computes such invariants as explicitly represented sets of states (that
is, for each state there exists some little data structure). Implicit-state model checking uses compact
representations of such sets, such as binary decision diagrams, and computes the least solution of
$\Psi(X) = X$ by finding the limit of the ascending sequence $X_0 = \emptyset$, $X_{n+1} = \Psi(X_n)$; for systems with
at most $n$ states, this limit is reached within at most $n$ iterations. For infinite state systems such as
software programs,¹ such an approach is infeasible, because (a) the sets of states $X_i$ may be large (or
even infinite, if infinite nondeterminism is used) (b) the sequence may not converge within a finite
number of iterations.

¹ One of the authors once heard the remark that a program without dynamic allocation or recursion was just a finite-state
automaton, thus all properties are decidable, including halting. For the purpose of practical analysis, except for
very small and simple programs, such state spaces are so large that they should be treated as infinite.

Abstract interpretation solves point (a) by replacing arbitrary sets of states by over-approximations;
for instance, a set of points in $\mathbb{Z}^n$ or $\mathbb{Q}^n$ may be replaced by an enclosing convex polyhedron.
A given analysis thus restricts itself to a given abstract domain of sets of states; in this article, we
focus, as an example, on the domain of polyhedra, but there exist many other abstract domains, for
numerical [16] or non-numerical states. The operator $\Psi$ on concrete states is replaced by an abstract
operator $\Psi^\sharp$ satisfying a soundness condition $\Psi(X^\sharp) \subseteq \Psi^\sharp(X^\sharp)$ for all $X^\sharp$.²

Problem (b), that is, failure for the sequence $X^\sharp_{n+1} = \Psi^\sharp(X^\sharp_n)$ to become stationary, remains if the
abstract domain contains infinite strictly ascending sequences;³ this is for instance the case of the
domain of convex polyhedra. Some form of convergence acceleration is thus needed. Starting with
$u^\sharp_0 = \emptyset$, upwards iterations with widening compute⁴

$u^\sharp_{n+1} = u^\sharp_n \nabla \left(u^\sharp_n \sqcup \Psi^\sharp(u^\sharp_n)\right)$ (2)

$x \sqcup y$ is such that $x, y \subseteq x \sqcup y$ (in the case of polyhedra, $\sqcup$ is generally taken to be the convex
hull), and $\nabla$ is a widening operator, such that for all $x \subseteq y$, $y \subseteq x \nabla y$ (soundness property), and any
sequence of the form $u_{n+1} = u_n \nabla v_n$, where $(v_n)$ is any other sequence, is stationary: after a certain
$N$, it is constant (termination property). Then, $\Psi(u^\sharp_N) \subseteq \Psi^\sharp(u^\sharp_N) \subseteq u^\sharp_N \nabla (u^\sharp_N \sqcup \Psi^\sharp(u^\sharp_N)) = u^\sharp_N$, thus
$\Psi(u^\sharp_N) \subseteq u^\sharp_N$, which means that $u^\sharp_N$ is an inductive invariant of the program, in which the strongest
invariant is included.

Once an inductive invariant $u^\sharp_N$ is obtained, it may be refined by narrowing iterations, which in
practice generally consist in computing $\Psi^{\sharp k}(u^\sharp_N)$ until the sequence becomes stationary or $k$ exceeds a
preset limit.

Widening operators have various unpleasant properties. The best known is that they bring imprecision:
the result of widening/narrowing iterations may be strictly larger than the least element of
the abstract domain that is an inductive invariant, let alone an invariant (in Sec. 5 we shall list some
alternative approaches that do not suffer from this inconvenience, at the expense of generality). The
contribution of this article is a generic method to reduce some of the imprecision induced by widening.



1.2 Motivating Example 

Classical polyhedral analysis, when applied to Listing 1, discovers that $i \geq 1 \wedge i \leq 5$ is an invariant
at the head of the loop. Yet, running the same analysis on Listing 2 yields $i \leq 5$ but not $i \geq 1$.

² Some presentations of abstract interpretation distinguish the abstract element $X^\sharp$ from the set of states $\gamma(X^\sharp)$ that
it represents. In this article, we chose not to, in order to simplify notations.

³ Again, for practical purposes, it suffices that there exist exceedingly long finite ascending sequences for analysis to
become unfeasible.

⁴ Following the usage in APRON [14], our definition of $u \nabla v$ assumes that $u \subseteq v$; if this is not the case, use $u \nabla (u \sqcup v)$
instead.

⁵ One may try examples on B. Jeannet's online Interproc analyzer at http://pop-art.inrialpes.fr/interproc/interprocweb.cgi
Listing 1: Loop until 5

int i=1;
while (i<=5) {
  i = i+1;
}

Listing 2: j = i(i+1)/2

int i=1, j=0;
while (i<=5) {
  j = j+i;
  i = i+1;
}

This example is not fortuitous: it models how to address consecutive lines of a matrix in lower
triangular packed storage mode. In that memory-efficient approach, the matrix is stored in memory
as a one-dimensional array, each line next to the preceding one, and line number i only uses i positions
in the array: j is the index of the start of the line in the array.

Program 1 is an abstraction of Program 2: each execution of the latter maps to an execution of
the former. Yet, the analysis of the former produces a more precise loop invariant than the analysis
of the latter. This is an example of the non-monotonicity of analyses using widenings, a long-known
phenomenon [7, ex. 11]: a more precise abstraction may ultimately lead to less precision in the final
analysis result.

Analysis of Program 2 with the basic upwards iteration and widening scheme (widening at every
iteration), using the standard widening on polyhedra,⁶ yields the successive polyhedra

• $i = 1 \wedge j = 0$

• $-i + j \geq -1 \wedge i \geq 1$: draw a line through the first two reachable states and obtain a polyhedron
in $(i, j)$ generated by vertex $(1, 0)$ and ray $(1, 1)$;

• $-i + j \geq -1 \wedge 7i - 4j \geq 7$: polyhedron in $(i, j)$ generated by vertex $(1, 0)$ and rays $(1, 1)$ and
$(4, 7)$.

So far, so good: such polyhedra still imply $i \geq 1$. At the next iteration, however, this constraint
is lost and one gets the polyhedron $-i + j \geq -1$, and finally $\top$, the whole plane. The constraint
$i \leq 5$ is recovered by one step of downwards iteration. Analysis with the improved widening proposed
by Bagnara et al. [2], as implemented in the Parma Polyhedra Library, yields a different iteration
sequence, but still reaches $\top$ at the end.

If one runs a polyhedral analysis on Program 1, one gets the inductive invariant $1 \leq i \leq 5$, which
is also valid for Program 2. Intersecting this invariant with the output of the widening in the analysis
of Program 2 yields a reasonably precise polyhedron (Table 1).

Thus, the basic idea of our method: run preliminary analyses over abstractions of the program
obtained by removing some of the variables, in order to refine the analysis of the complete program.
In order to further convey our intuition, let us remark that Program 2 is the result of loop fusion over the
following program:

for(i=1; i<=5; i++) t[i]=i;
for(i=1; i<=5; i++) j += t[i];

Normal forward polyhedral analysis on this program will find good invariants for both loops. In
particular, the second loop cannot perturb the analysis of the first loop. It seems reasonable that the
same should apply to the code after loop fusion.

⁶ The standard widening on polyhedra $P_1 \nabla P_2$, in intuitive terms, suppresses from $P_2$ the constraints not present in $P_1$.
In reality, its correct definition contains subtleties regarding polyhedra of dimension less than the dimension of the space,
and the original definition [8] had to be corrected; [11] recalls the corrected definition.
Table 1: Comparison of classic static analysis (upward iterations with widening $\nabla$ followed by descending
iterations) and stratified static analysis on Program 2. Classic analysis loses the constraint $i \geq 1$
and finds $\top$ in 5 iterations. The upper bound $i \leq 5$ is found with one narrowing iteration. Stratified
analysis on the stratum consisting of variable $i$ first finds $1 \leq i \leq 5$. Then, it analyzes stratum $\{i, j\}$
and intersects with the result of stratum $\{i\}$. A fixed point is found after 4 iterations (last line). The
table also shows the polyhedra found after two narrowing iterations. The resulting polyhedron, even
without narrowing iterations, is much more precise than the one found by classic analysis.



The same code could have been the result of the compilation into C of a data-flow program (e.g.
Simulink or Lustre) consisting of a ramp generator and an integrator:

[Figure: data-flow diagram of a ramp generator (1 ... 5) feeding an integrator]

Again, it seems natural that the analysis of the integrator should not hamper the analysis of the ramp.



2 Stratified Analysis 

We have investigated two approaches. In stratified analysis, we successively perform several static
analyses by abstract interpretation, the results from each analysis being used to refine the following
ones. In stratified widening, a single analysis pass is performed, but with a widening improving on and
derived from the traditional widening on polyhedra.

2.1 Dependency Strata 

We consider a set $\mathcal{S}$ of subsets of the set of variables $V$ of the program, such that $V \in \mathcal{S}$; we order it
by inclusion. An immediate predecessor of $S \in \mathcal{S}$, denoted by $S' \prec S$, is $S'$ such that $S' \subset S$ and there
is no $S''$ such that $S' \subset S'' \subset S$.

In practice, if we have a relationship $v_1 \to v_2$ meaning "$v_1$ flows into $v_2$ through some computation"
or "$v_2$ depends on $v_1$", then the elements of $\mathcal{S}$ are, in addition to $V$ itself, subsets $S$ of $V$ closed under: if
$v \in S$ and $v' \to v$, then $v' \in S$. One way to construct such subsets is to compute for each variable $v$
the set $S(v) = \{v' \mid v' \to v\}$, and add this set to $\mathcal{S}$ unless it is already present. For better efficiency,
one computes the strongly connected components of $\to$, and takes $S(v)$ for one $v$ in each component.
Note that $\to$ need not be the semantic dependency relation, which takes into account both data
and control dependencies. In intuitive (and imprecise) terms, a variable $x$ is said to be data-dependent
on a variable $y$ if $x$ is assigned to by an expression where $y$ appears; a variable $x$ is said to be
control-dependent on a variable $y$ if $x$ is assigned in a program branch executed or not executed according to
the value of $y$. Collecting all program elements on which a variable depends, through data or control
dependencies, is known as slicing [27]. If $\to$ takes into account all dependencies, then $S(v)$ is the slice
of variables on which $v$ depends.

A helpful intuition of our method is that it performs analyses on program slices of increasing size;
but this is somewhat misleading, because we do not make any assumption on $\to$ and thus it does not
necessarily reflect all dependencies. In particular, ignoring control dependencies, compared to
conventional slicing, may produce simpler slices, of a more manageable size. X. Rival, when developing
the Astrée static analyzer, observed that, for many variables, the slice corresponded to approximately
80% of the code, thus slicing did not significantly simplify the program [19].



2.2 Informal Definition 



Let $S$ be a subset of the variables in program $P$. We write $P|_S$ for the program $P$ where all references to
variables outside $S$ have been replaced by nondet() nondeterministic choices.



Program $P$

int i=1, j=0;
while (i<=5) {
  j = j+i;
  if (j % 2 == 0) i = i+1;
}

$P|_S$ for $S = \{i\}$

int i=1;
while (i<=5) {
  if (nondet()) i = i+1;
}



For any program $P$, let $C(P)$ be its collecting semantics: the set of reachable states of $P$. In
order to simplify notations, for $S \subseteq S'$, we identify sets of states referring to the variables in $S$ with
their completion by all values for variables in $S' \setminus S$. For any $S$, $P|_S$ is a safe abstraction of $P$:
$C(P) \subseteq C(P|_S)$. More generally, if $S \subseteq S'$, $C(P|_{S'}) \subseteq C(P|_S)$.

For any program $P$, let $A(P)$ be the result of static analysis of $P$. Correctness of the analysis
means $C(P) \subseteq A(P)$. Let $A(P, K)$ be the result of the static analysis of $P$ where the semantics of $P$
is restricted to states in $K$: in other words, all states outside of $K$ are removed from the transition
relation. For any $K \supseteq C(P)$, $C(P) \subseteq A(P, K)$.

For each $S \in \mathcal{S}$, we compute the intermediate analysis result $R(S)$ after all $R(S')$, $S' \prec S$, have
been computed, as follows:

$R(S) = A\left(P|_S,\ \bigcap_{S' \prec S} R(S')\right)$ (3)



Remark that in this formula, we could have made $S'$ range over all predecessors without changing
the result; however, this would have been less efficient.

By induction on the length of the $\prec$-chains, for all $S$, $R(S) \supseteq C(P|_S)$. At the end, $R(V) \supseteq C(P)$ is
a correct analysis result for the whole program; in fact, any $R(S) \supseteq C(P)$, so one can stop the analysis
at any step, for instance because of a time limit.

This is the analysis performed in Sec. 1.2 with $\mathcal{S} = \{\{i\}, \{i, j\}\}$.



2.3 Formal Definitions and Variants 

Let $S \in \mathcal{S}$. We assume that the result $R(S')$ of the analysis for all $S' \prec S$ has already been computed.
Let $K^S = \bigcap_{S' \prec S} R(S')$; we assume that $\mathrm{lfp}\,\Psi \subseteq R(S')$ for all $S' \prec S$ and thus that $\mathrm{lfp}\,\Psi \subseteq K^S$.
The analysis described at Eqn. 3 is defined by the sequence:

$u^S_{n+1} = u^S_n \nabla \left(u^S_n \sqcup \left(\Psi^\sharp(u^S_n \cap K^S) \cap K^S\right)\right)$ (4)

We compute the limit $R(S) = u^S_N$ of that stationary sequence, and output $u^S_N \cap K^S$.

Let us write $\Psi|_A(X) = \Psi(X \cap A) \cap A$. In other words, $\Psi|_A$ is $\Psi$ with everything outside of $A$ being
discarded. The following lemma means that we do not change the strongest invariant by throwing out
unreachable states in the definition of the semantics, which is intuitive.

Lemma 1. $\mathrm{lfp}\,\Psi|_A = \mathrm{lfp}\,\Psi$ for any $A \supseteq \mathrm{lfp}\,\Psi$.

Proof. $\mathrm{lfp}\,\Psi|_A$ is the limit of the ascending sequence defined by $X_0 = \emptyset$, $X_{n+1} = \Psi|_A(X_n)$, and $\mathrm{lfp}\,\Psi$ that
of $Y_0 = \emptyset$, $Y_{n+1} = \Psi(Y_n)$. By induction, for all $n$, $X_n = Y_n$. □

Corollary 2. $u^S_N$, and thus $u^S_N \cap K^S$, includes $\mathrm{lfp}\,\Psi$, that is, the reachable states.

Proof. Because $y \subseteq x \nabla y$ and $y \subseteq x \sqcup y$ for all $x, y$, $\Psi^\sharp(u^S_N \cap K^S) \cap K^S \subseteq u^S_N$ and thus $\Psi|_{K^S}(u^S_N) =
\Psi(u^S_N \cap K^S) \cap K^S \subseteq u^S_N$. Thus, $\mathrm{lfp}\,\Psi|_{K^S} \subseteq u^S_N$. The result follows from the lemma. □

We conclude that, by induction over $\prec$, for all $S$, $\mathrm{lfp}\,\Psi \subseteq R(S)$.

We shall now describe a subtly different iteration scheme, which supposes some additional properties
of $\nabla$:

Definition 3. We say that $\nabla$ satisfies the "up to" termination condition if for any fixed $K^\sharp$, any
$u^\sharp_0 \subseteq K^\sharp$ and any sequence $v^\sharp_n \subseteq K^\sharp$, the sequence defined by $u^\sharp_{n+1} = (u^\sharp_n \nabla v^\sharp_n) \cap K^\sharp$ is stationary if $u^\sharp_n \subseteq v^\sharp_n$
for all $n$.

This property ensures the correctness of widening "up to" [12], a well-known improvement to
widening, and is true of the standard widening on polyhedra as well as Bagnara et al.'s improved
widening [2, p. 53]. Using the same notations and hypotheses as above, we use this iteration:

$u^S_{n+1} = \left(u^S_n \nabla \left(u^S_n \sqcup \left(\Psi^\sharp(u^S_n) \cap K^S\right)\right)\right) \cap K^S$ (5)

Again, once we get a stationary value in this sequence, then it is such that $\mathrm{lfp}\,\Psi \subseteq u^S_N$:

Lemma 4. If $u^S_{N+1} \subseteq u^S_N$ in Eqn. 5, $u^S_N$ includes $\mathrm{lfp}\,\Psi$, the set of reachable states.

Proof. $\Psi(u^S_N) \cap K^S \subseteq \Psi^\sharp(u^S_N) \cap K^S \subseteq u^S_{N+1} \subseteq u^S_N$, from the correctness of $\Psi^\sharp$. Furthermore, by
construction, $u^S_N \subseteq K^S$, thus $\Psi(u^S_N) \cap K^S = \Psi|_{K^S}(u^S_N)$. $\Psi|_{K^S}(u^S_N) \subseteq u^S_N$, thus $\mathrm{lfp}\,\Psi|_{K^S} \subseteq u^S_N$. The
result follows from Lem. 1. □



3 Stratified Widenings 

An alternative to the method described in the preceding section, which runs successive analyses of
increasing precision, is to run a single analysis over a reduced product [5] of polyhedral domains, but
with a special widening operator. We shall provide two options for that operator.

3.1 Widening with or without Reduction 

We distinguish the internal state $(P_S)_{S \in \mathcal{S}}$ of the iteration sequence from the set of states it
represents. The various abstract operations will therefore continue operating on polyhedra as usual:
only the widening operator is replaced.

Our widening operators will take a tuple $(P_S)_{S \in \mathcal{S}}$ as a first argument and a single polyhedron $Q$ as
a second argument. A tuple $(P_S)_{S \in \mathcal{S}}$ represents the polyhedron

$\gamma((P_S)_{S \in \mathcal{S}}) = \bigcap_{S \in \mathcal{S}} P_S$; (6)

the tuples are ordered point-wise: $(P_S)_{S \in \mathcal{S}} \sqsubseteq (Q_S)_{S \in \mathcal{S}}$ if and only if for all $S$, $P_S \subseteq Q_S$.

We write $\pi_S(P)$ for the projection of polyhedron $P$ onto the variables in $S$. If $S \subseteq S'$, a polyhedron on
the variables in $S$ shall also be considered as a polyhedron on the variables in $S'$ by keeping the same
constraints. This means, in particular, that $P \subseteq \pi_S(P)$ for any $P$ and $S$.

The first widening operator is very simple:

$(P_S)_{S \in \mathcal{S}} \nabla_1 Q = (P_S \nabla \pi_S(Q))_{S \in \mathcal{S}}$ (7)

where $\nabla$ is any widening on polyhedra. This widening converges because each coordinate converges,
since $\nabla$ is a widening. It is obvious that, if $(P_S)_{S \in \mathcal{S}}$ is the resulting limit, then $\gamma((P_S)_{S \in \mathcal{S}})$ is an
inductive invariant.

The second widening applies internal reductions. $(R_S)_{S \in \mathcal{S}}$ denotes $(P_S)_{S \in \mathcal{S}} \nabla_2 Q$. We
compute the $R_S$ in ascending order with respect to $\prec$, with the convention that the intersection of zero
polyhedra is the full polyhedron:

$R_S = (P_S \nabla \pi_S(Q)) \cap \bigcap_{S' \prec S} R_{S'}$ (8)

Theorem 5. Assuming that $\nabla$ is a widening satisfying the "up to" termination condition (Def. 3),
$\nabla_2$ is a widening.

Proof. Let $u^{(n+1)} = u^{(n)} \nabla_2 v^{(n)}$ be a sequence, with $\gamma(u^{(n)}) \subseteq v^{(n)}$ for all $n$; each element
consists in $u^{(n)}_S$ for $S \in \mathcal{S}$. We prove that for all $S \in \mathcal{S}$ the sequence $u^{(n)}_S$ is stationary, by induction
over $\prec$.

For $S$ with no predecessor, $(u^{(n)}_S)$ is of the form $u^{(n+1)}_S = u^{(n)}_S \nabla \pi_S(v^{(n)})$, and the result follows from $\nabla$
being a widening.

Consider now the property satisfied for all $S' \prec S$. For all $S' \prec S$, $(u^{(n)}_{S'})$ is stationary; thus there
is an $N$ such that for $n > N$, all $u^{(n)}_{S'}$ for $S' \prec S$ are constant. $\bigcap_{S' \prec S} u^{(n)}_{S'}$ is thus constant for $n > N$.
The result follows from $\nabla$ being a widening satisfying our additional property. □

Instead of polyhedra, one may use other abstract domains fitted with an operation $\sqcap$ such that
$a \cap b \subseteq a \sqcap b$ for all $a, b$. Let us however note that $\nabla_1$ and $\nabla_2$ yield the same results as the ordinary
widening $\nabla$ if applied to domains, such as difference bound matrices or octagons [16], where $\nabla$ and
projection commute: $\pi_S(P) \nabla \pi_S(Q) = \pi_S(P \nabla Q)$, and therefore that they bring no improvement for
such domains: the $P_S$ are just projections of $P_V$. More precisely:

Lemma 6. Assume that $\pi_S(P) \nabla \pi_S(Q) = \pi_S(P \nabla Q)$ for all $P$ and $Q$. Any iteration sequence of the
form $P^{(n+1)} = P^{(n)} \nabla Q^{(n)}$ then satisfies, for all $n$ and $S \in \mathcal{S}$, $P^{(n)}_S = \pi_S(P^{(n)}_V)$, assuming this equality
holds for $n = 0$.

Proof. Regarding $\nabla_1$: by induction over $n$, for any $S$, $P^{(n+1)}_S = P^{(n)}_S \nabla \pi_S(Q^{(n)}) = \pi_S(P^{(n)}_V) \nabla \pi_S(Q^{(n)}) =
\pi_S(P^{(n)}_V \nabla Q^{(n)}) = \pi_S(P^{(n+1)}_V)$.

Regarding $\nabla_2$: by induction over $n$, then by induction over $S$ with respect to $\prec$:
$P^{(n+1)}_S = (P^{(n)}_S \nabla \pi_S(Q^{(n)})) \cap \bigcap_{S' \prec S} P^{(n+1)}_{S'}
= (\pi_S(P^{(n)}_V) \nabla \pi_S(Q^{(n)})) \cap \bigcap_{S' \prec S} \pi_{S'}(P^{(n+1)}_V)
= \pi_S(P^{(n)}_V \nabla Q^{(n)}) \cap \bigcap_{S' \prec S} \pi_{S'}(P^{(n+1)}_V)
= \pi_S(P^{(n+1)}_V) \cap \bigcap_{S' \prec S} \pi_{S'}(P^{(n+1)}_V) = \pi_S(P^{(n+1)}_V)$, since for any $X$ and $S' \prec S$, $\pi_{S'}(X) \cap \pi_S(X) =
\pi_S(X)$. □

3.2 Generalized Reduction Leads to Nontermination 

Communicating information between several abstract domains used at the same time is sometimes
referred to as a closure or reduction operation. Our $\nabla_2$ operation includes a partial closure, with
information flowing from $a$ to $b$ if $a \prec b$, but not the reverse. One could wonder about applying
reductions in all directions. Unfortunately, we would lose the termination property of widening,⁷ as
demonstrated by the following example.

Listing 3: Alternating increments

int i=0, j=0;
while (true) {
  if (i <= j) i++; else j++;
}

This loop has different behaviors on odd and even iterations: at iteration $2n$, $i = n$ and $j = n$; at
iteration $2n+1$, $i = n+1$ and $j = n$. The results of a static analysis with polyhedra on $\{i, j\}$, and
unions instead of widenings, are, in constraint form: $P_{2n}: P'' \wedge i \leq n$ and $P_{2n+1}: P'' \wedge j \leq n$, $P''$
denoting $i \geq j \wedge i \leq j+1 \wedge j \geq 0$ (we identify $P''$ with the conjunction of the constraints that define
it). If for the iteration $n = 4$ we use widening,⁸ we instead obtain $P_4 = P''$, which is an inductive
invariant.

We have established that this program poses no challenge to "classical" polyhedral analysis. The
same is true if we apply one of the analyses of Sec. 2 or one of the widenings of Sec. 3.1. Let us now
see what happens if we modify the $\nabla_2$ operator of Sec. 3.1 by allowing reductions not following $\prec$.

Instead of the definition given at Eq. 8, we instead initialize all $R_S$ to $P_S \nabla \pi_S(Q)$, then apply some
replacements, or reductions, of the form:

$R_S := R_S \cap \bigcap_{S' \neq S} \pi_S(R_{S'})$ (9)

If we reach a fixed point for this replacement system, using the terminology from octagons [3], we say
that we have applied the closure operation.

Let us first remark that $\gamma((R_S)_{S \in \mathcal{S}})$ is left unchanged by any number of such reductions:

Lemma 7. Let $(R'_S)_{S \in \mathcal{S}}$ be the same as $(R_S)_{S \in \mathcal{S}}$ except that $R'_{S_0} = R_{S_0} \cap \bigcap_{S' \neq S_0} \pi_{S_0}(R_{S'})$. Then,
$\gamma((R'_S)_{S \in \mathcal{S}}) = \gamma((R_S)_{S \in \mathcal{S}})$.

Proof. $\gamma((R'_S)_{S \in \mathcal{S}}) = \bigcap_{S \in \mathcal{S}} R'_S = \gamma((R_S)_{S \in \mathcal{S}}) \cap \bigcap_{S' \neq S_0} \pi_{S_0}(R_{S'}) = \gamma((R_S)_{S \in \mathcal{S}}) \cap \bigcap_{S' \in \mathcal{S}} \pi_{S_0}(R_{S'})$.

Since $R_{S'} \subseteq \pi_{S_0}(R_{S'})$ for any $S'$, $\bigcap_{S' \in \mathcal{S}} \pi_{S_0}(R_{S'}) \supseteq \bigcap_{S' \in \mathcal{S}} R_{S'} = \gamma((R_S)_{S \in \mathcal{S}})$. The result follows. □

Because $\gamma((R_S)_{S \in \mathcal{S}})$ does not change, after the reductions $\gamma((R_S)_{S \in \mathcal{S}})$ is still the same as $\gamma(P \nabla Q)$.
Our new "widening" thus verifies the soundness property (see Sec. 2.3): the problem is that it does
not verify the termination property!

Let us have $\mathcal{S} = \{\{i\}, \{j\}, \{i, j\}\}$; instead of $P_{\{i\}}$, $P_{\{j\}}$ and $P_{\{i,j\}}$ we shall respectively write $I$, $J$
and $P$. At iteration $n$, we shall therefore have a polyhedron $I_n$ on $\{i\}$ (thus, an interval) and one
polyhedron $J_n$ on $\{j\}$ in addition to the polyhedron $P_n$ on $\{i, j\}$. If using unions instead of widenings,
we have $I_{2n} = [0, n]$, $I_{2n+1} = [0, n+1]$, $J_{2n} = [0, n]$ and $J_{2n+1} = [0, n]$. Consider now using widening
at the iteration $n = 4$: $I_4 = I_3 = [0, 2]$, but $J_4 = [0, +\infty)$.

Let us now apply the closure operation: we replace $P_4 = P''$ by its intersection with $I_4$ and obtain
$P'' \wedge i \leq 2$; then we replace $J_4$ by its intersection with the updated $P_4$ and obtain $[0, 2]$. At the next
iteration, with the roles of $I$ and $J$ reversed, we obtain $I_5 = [0, 3]$, $J_5 = [0, 2]$ after closure, and then
$I_6 = [0, 3]$, $J_6 = [0, 3]$.

The iterations with widening followed by closure behave, on $I$ and $J$, like those with unions,
and they do not converge within finite time. Observe that this happens because we alternately reduce
$I \to P \to J$ and $J \to P \to I$, whereas the definitions of Sec. 3.1 only allow $I \to P$ and $J \to P$.
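The two iteration sequences worked out above, as an added Python example (not code from the original paper or from its APRON-based implementation): the $\nabla_2$ widening of Sec. 3.1, which stops on $P''$, run next to widening followed by closure in all directions, which keeps growing like the union sequence. It assumes, as a constructed model specific to Listing 3, that every polyhedron reached has the form $P'' \wedge i \leq a \wedge j \leq b$ (that family is closed under the loop's transfer function), and it replaces a general polyhedral library by an interval-style widening on the two bounds:

```python
"""Stratified widening (nabla_2, Eq. 8) versus widening followed by closure in all
directions (Eq. 9) on Listing 3, with S = {{i}, {j}, {i, j}}.

Constructed model (an assumption specific to Listing 3): every polyhedron the analysis
visits has the form  P'' and i <= a and j <= b,  with P'' = (i >= j, i <= j+1, j >= 0),
so a polyhedron on {i, j} is a pair (a, b) of upper bounds (INF = no constraint) and a
polyhedron on {i} or {j} is an interval [0, u], i.e. a single upper bound u.
"""
from math import inf as INF


def norm(p):
    """Canonical form: drop the bound that P'' (j <= i <= j+1) makes redundant."""
    a, b = p
    if a >= b + 1:            # i <= a already follows from j <= b
        a = INF
    if b >= a:                # j <= b already follows from i <= a
        b = INF
    return (a, b)

def proj_i(p):
    """pi_{i}: largest i in the member (a, b); the lower bound is always 0."""
    return min(p[0], p[1] + 1)

def proj_j(p):
    """pi_{j}: largest j in the member (a, b)."""
    return min(p[0], p[1])

def leq(p, q):
    """Inclusion; exact here because a member is determined by its (max i, max j)."""
    return proj_i(p) <= proj_i(q) and proj_j(p) <= proj_j(q)

def join(p, q):
    """Convex hull: the family is a chain under inclusion, so it is the larger one."""
    return q if leq(p, q) else p

def meet(p, ui, uj):
    """P meet (i <= ui) meet (j <= uj): gamma of the tuple (I, J, P), Eq. (6)."""
    return norm((min(p[0], ui), min(p[1], uj)))

def post(p):
    """One loop iteration of Listing 3 on a member, hulled with the initial state
    (0, 0).  Inside P'' the branch i <= j means i == j and does i++; the else
    branch means i == j+1 and does j++.  The result always contains p."""
    a, b = p
    return norm((min(a, b) + 1, min(a, b + 1)))

def widen_bound(old, new):
    """Interval widening on an upper bound: an unstable bound is dropped to +inf."""
    return old if new <= old else INF

def widen_poly(p, q):
    """Standard widening on the family: keep the constraints of (canonical) p that
    q still satisfies, drop the others."""
    return norm((widen_bound(p[0], proj_i(q)), widen_bound(p[1], proj_j(q))))

def analyze(mode, delay=4, max_iter=40):
    """Iterate the tuple (I, J, P) = (P_{i}, P_{j}, P_{i,j}) on Listing 3.

    mode == "stratified": nabla_2 of Eq. (8); information flows only along
                          {i} -< {i, j} and {j} -< {i, j}.
    mode == "closure":    widen every component, then apply the reductions of
                          Eq. (9) in all directions until they stabilise.
    Plain unions are used for the first `delay` iterations (delayed widening).
    Returns (trace, converged); trace[n] is the tuple after n iterations."""
    ui, uj, p = 0, 0, norm((0, 0))          # I_0 = J_0 = [0, 0], P_0 = {(0, 0)}
    trace = [(ui, uj, p)]
    for n in range(1, max_iter + 1):
        q = post(meet(p, ui, uj))           # Q = Phi(gamma(u)), which contains gamma(u)
        if n < delay:                       # no widening yet: unions on every stratum
            ui, uj, p = max(ui, proj_i(q)), max(uj, proj_j(q)), join(p, q)
        else:
            ui = widen_bound(ui, proj_i(q))  # R_{i} = I nabla pi_{i}(Q)
            uj = widen_bound(uj, proj_j(q))  # R_{j} = J nabla pi_{j}(Q)
            p = widen_poly(p, q)             # P nabla pi_{i,j}(Q)
            if mode == "stratified":
                p = meet(p, ui, uj)          # Eq. (8): R_{i,j} = (...) meet R_{i} meet R_{j}
            else:
                while True:                  # Eq. (9) on every stratum, to a fixed point
                    new = (min(ui, proj_i(p)), min(uj, proj_j(p)), meet(p, ui, uj))
                    if new == (ui, uj, p):
                        break
                    ui, uj, p = new
        if (ui, uj, p) == trace[-1]:        # stationary: gamma(u) is an inductive invariant
            return trace, True
        trace.append((ui, uj, p))
    return trace, False

if __name__ == "__main__":
    for mode in ("stratified", "closure"):
        trace, ok = analyze(mode)
        print(mode, "converged" if ok else "NOT converged", "last tuple:", trace[-1])
```

With the default delay of 4 the stratified run reaches $(I, J, P) = ([0,+\infty), [0,+\infty), P'')$ after 5 iterations and stops, while the closure run reproduces $I_5 = [0,3]$, $J_5 = [0,2]$, $I_6 = J_6 = [0,3]$ and is still growing at the iteration limit.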

⁷ The fact that widenings followed by reductions with cycles (reduce $a$ using $b$, then reduce $b$ using $a$) may not ensure
termination is already known. For instance, closure in difference-bound matrices and octagons breaks termination
[example 3.7.3, p. 85].

⁸ Applying unions at the $n$ first iterations and then applying widening is a standard technique known as delayed widening.
4 Experimental Results

The stratified analysis presented in Section 2, in both variants (Eqn. 4 and Eqn. 5), was evaluated
against the classical analysis described by Eqn. 2 on a set of benchmarks used by STMicroelectronics
in the development cycle of its compilers, in addition to a few specific examples such as the one from
Sec. 1.2.

LA Kernels is a set of benchmarks internally used for the evaluation of compiler code generators
and optimizations. It is mainly composed of small computational kernels representative of the target
applications of STMicroelectronics (audio and video stream processing, embedded device control),
associated with a testing harness to be able to run them on the target processor. It contains 63
functions, of which 49 contain at least one loop. Loops have to exhibit some properties, like a non-linear
relation between variables in the loop scope, in order to benefit from this method. Stratified
analysis finds a more precise invariant for 5 of these functions.

Among these 5 functions, discrete cosine transform has three nested loops. The intuition of why
stratified analysis performs better is that it obtains an invariant for the indices affected by the outer loop
before attempting to analyze the inner loop, thus preventing imprecisions during the inner loop analysis
from affecting the invariant on the outer loop indices.

The dependency relation used to create the strata is based on a modified dataflow graph; strongly
connected components (SCC) are reduced to super-nodes, while keeping the existing dependency
relations. Initial strata stem from the root nodes of this SCC dependency graph; additional ones are
created by following the dependency relations until one stratum encompasses all variables in the
dependency graph. In the while loop of Listing 2, the variable j depends on i; the SCC nodes
simply consist of {i} and {j}, and the analysis creates two strata {i} and {i, j}.

The two variants of stratified analysis described by Eqn. [4] and Eqn. [5] find the same results, and 
in all cases find invariants equal to or stronger than those obtained by the classical analysis. Bagnara 
et al.'s alternate widening [2] yields iteration sequences different from those obtained by the classical 
widening, but ultimately finds the same invariant; thus, our approach improves on theirs on this 
benchmark set. 

Table 2 shows the number of variables in the outermost stratum, along with the number of strata
considered by the analysis and its overhead with respect to the standard analysis using only the classic
widening. Some programs exhibit a large number of strata, impacting the cost of the analysis. It is
possible to run the expensive stratified analysis after a first cheaper standard analysis, while focusing
on certain loop nests (those reaching $\top$ for instance).



Function                    # of vars   # of strata   Overhead
autocorrelation                  9           8          5.55x
binary search                    2           2          1.95x
discrete cosine transform       27          17          9.79x
integer power                    2           3          2.29x
listing 2                        2           2          1.66x

Table 2: Number of variables in the last stratum, number of strata and overhead of stratified analysis
for programs that benefit from this method. The baseline for overhead measures is the classic analysis
using bare widenings (without delay or widening-up-to).

We rely on the APRON numerical abstract domain library⁹ [14] for all abstract domain computations.
APRON implements, among other domains, convex polyhedra with the classical widening,
with linearization of nonlinear expressions following Miné's approach [15]. In addition, in order to
compare with Bagnara et al.'s alternate widening, we used the Parma Polyhedra Library¹⁰ (with
the classical widening, the PPL produces exactly the same results as APRON up to equivalence of
constraints, thus providing a means to test for possible bugs in the polyhedral computations).

⁹ http://apron.cri.ensmp.fr/library/
¹⁰ http://www.cs.unipr.it/ppl/
5 Related Work

It has long been recognized that analysis using polyhedra over all variables in a program, or even all
variables in a single function, is unfeasible because of the high complexity of polyhedral operations
in higher dimensions. This is also true of weaker domains such as octagons. For this reason, the
Astrée analyzer uses relational domains only on "packs" of variables: for instance, if we have
four variables a, b, c, d and two packs {a, b} and {b, c, d}, the analysis will track relationships between
a, b and b, c, d separately: no direct relation will be established between a and d.

A related approach is factoring of polyhedra [13]: when a polyhedron $P$ is a Cartesian product $P_1 \times
\ldots \times P_n$ of polyhedra in lower dimension, with respectively $v_i$ vertices (or, more generally, generators), it
is often advantageous to keep this product representation as much as possible instead of considering it as
a polyhedron with $\prod_i v_i$ vertices, because of algorithms that need to work on the generator representation.
An alternative is to dispense totally with the generator representation [23, 22].



The literature on slicing is abundant, since the early 1980s [27]. Syntactic slicing extracts all
program statements, variables etc. that affect the value of variable $v$, or, rather, a safe superset
thereof. The resulting slice is executable, which is interesting for testing or debugging methods, but
less so for abstract interpretation; this is why we may use lax dependency relations (Sec. 2.1), since
we in effect replace any unknown dependency by nondeterministic choice. Semantic slicing relaxes the
requirement that the resulting program be a syntactic subset of the original program [26]. X. Rival
considers a form of abstract semantic slicing [19, 20], where program executions are restricted to those
affecting the reachability of undesirable program states (alarms); in contrast, our method does not
suppose we have a set of properties (absence of alarms) to prove.

The design of widening operators is surprisingly difficult. The original widening operator on
polyhedra [8] was sensitive to syntax: different ways of representing the same polyhedron in constraint form
yielded different widened polyhedra; this problem was later fixed [11]. Because the result of iterations
with widening is non-monotonic, precision is highly heuristic: in particular, replacing a widening
operator by one producing smaller polyhedra at each iteration does not necessarily translate into a smaller
invariant in the end [p. 42].

Despite this caveat, many widening operators have been proposed for convex polyhedra [p. 30], [22].
Many are variants on the classical widening: some apply union in lieu of the classical widening in a way
that does not preclude termination [2]; the "up to" widening, also known as widening with thresholds
or limited widening [12], extracts possibly relevant constraints from the program and keeps in $P \nabla Q$ the
constraints from that set satisfied by both $P$ and $Q$; a related idea is widening with landmarks, which
uses estimates of the number of supplementary iterations necessary to enable a currently disabled
transition [24]; widening with a care set uses a proof goal and counterexamples in order to guide the
widening [25]. Our approach is largely orthogonal to these, and in fact can be combined with them.

In recent years, there has been much interest in techniques for inferring invariants without
doing conventional Kleene iterations. Policy iteration (also called strategy iteration; the technique
is inspired by game theory) exists in two flavors. Descending policy iteration solves a descending
sequence of least fixed points of simpler operators; these least fixed points may be solved approximately
using widenings, thus this technique is orthogonal to ours. In contrast, ascending policy iteration [10]
and other techniques based on constraint programming [21] or quantifier elimination [18] provide some
optimality guarantees, but impose restrictions on the kind of program instructions supported. Such
restrictions may be lifted by abstracting program operations into the supported subset [16], which may
in turn entail an outer loop with widenings.

We finally note that nothing in our approach is specific to polyhedra, or even to numerical domains. 

6 Conclusion 

Following our intuition that failure to analyze well parts of a program should not negatively influence
precision on other parts not depending on them, we proposed four analysis schemes: two proceed
by analyses of restrictions of the program code to variable subsets, the other ones use alternative
widening operators. Though we focused on improving the classical polyhedral analysis, two of our
methods apply to any abstract domain, and the two other ones make a reasonable assumption on the
underlying abstract domain and its widening operator.